Jerry M's picture

Appliance:  turnkey-nginx-php-fastcgi-16.0-buster-amd64

 

Reading package lists... Done

Building dependency tree

Reading state information... Done

E: Unable to locate package libnginx-mod-rtmp

 

How do I install?

 

 

Forum: 
Jeremy Davis's picture

To minimise the size of the images, we remove all the apt cache, so if you do not run 'apt update' first, it won't find any packages.

If it still fails, then please share the full output pf 'apt update'.

Jerry M's picture

Jeremy Davis's picture

After digging a little, there are a few possible causes. Depending on where you are located and/or where this server is running, the possibilities range from misconfiguration of the Debian mirror that your server is connecting to; a misconfigured (local) proxy mangling your traffic; a malicious attack (DNS poisoning); your ISP snooping on you (and mangling your traffic) or perhaps even a repressive regime interfering with the network traffic!

TBH, I'd expect that it's simply a flaky, misconfigured mirror, but the fact that it's not just the normal Debian repo, but also the security repo does raise my suspicions... Regardless of my suspicions, let's run with Hanlon's razor for now.

Actually, I just did a IP lookup of the 2 IPs that I can see in your screenshot (151.101.250.132 & 199.232.120.132) and they both belong to Fastly - which is who provides Debian CDN. They are also in the US (which doesn't really count as a "repressive regime by my books! - although perhaps you are using a VPN?!). It doesn't totally rule out a malicious actor, but it seems clear that it's not targeted, nor is it anything from your local network. And most likely it's just a buggy config or some corruption on the server side (or perhaps on yours?).

For what it's worth, I just tried hardcoding those IP addresses into my hosts file and tried updating. It worked fine for me. So I suspect that it was broken, but it's since been fixed.

Regardless, I suggest clearing your apt cache, rebooting your server and trying again. I.e.:

apt clean
reboot

Then retry the 'apt update'. If it still fails, double check the IP addresses from your previous screenshot against the new run. If they're the same (they shouldn't be) then we could try hardcoding IP addresses (to known good ones) in your /etc/hosts file.

Please let me know how you go. If it's still an issue, please post back.

Jerry M's picture

root@nginx-php-fastcgi ~# apt update
Err:1 http://deb.debian.org/debian buster InRelease
	403 Forbidden: header 'Content-Type' value denied [IP: 151.101.250.132 80]
Err:2 http://security.debian.org buster/updates InRelease
	403 Forbidden: header 'Content-Type' value denied [IP: 151.101.250.132 80]
Ign:3 http://archive.turnkeylinux.org/debian buster-security InRelease
Ign:4 http://archive.turnkeylinux.org/debian buster InRelease
Hit:5 http://archive.turnkeylinux.org/debian buster-security Release
Hit:6 http://archive.turnkeylinux.org/debian buster Release
Reading package lists... Done
E: Failed to fetch http://deb.debian.org/debian/dists/buster/InRelease 403 Forbidden:
    header Content-Type' value denied [IP: 151.101.250.132 80]
E: The repository 'http://deb.debian.org/debian buster InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Failed to fetch http://security.debian.org/dists/buster/updates/InRelease 403 Forbidden:
    header 'Content-Type' value denied [IP: 151.101.250.132 80]
E: The repository 'http://security.debian.org buster/updates InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
Jeremy Davis's picture

I can 100% confirm that the InRelease files from 151.101.250.132 are definitely signed. If the copies you're getting aren't, then they're being tampered with! Simple as that...

To be clean, that doesn't necessarily mean someone/something malicious, but the files you are getting are not the ones from the Debian server.

One thing that might work around that is using https instead of http. I.e. change the deb.debian.org URLs in /etc/apt/sources.list.d/sources.list & /etc/apt/sources.list.d/security.sources.list. Be careful not to do that fro the TurnKey repos (archive.turnkeylinux.org) as they don't have proper https certs so they will fail. The lack of https availability for the TurnKey repo shouldn't be an issue though, as they don't appear to be raising any issues.

Here's a command to do the URL update for you:

sed -i "\|debian.org| s|http:|https:|" /etc/apt/sources.list.d/*.list

If it still doesn't work, then you will need to do some sleuthing and/or complaining. If you are behind a proxy (somewhat common in corporate settings) then you'll need to tweak the config (or get in touch with someone who can). If you aren't behind a proxy, then I suggest getting in touch with your ISP and get them to stop doing whatever it is they're doing. A third option (which may or may not work if you're behind a local proxy) is to use a VPN (i.e. configure your TurnKey server to use incoming internet via a VPN). If your server is available publicly, then Setting that up so it works properly may be tricky. I've never done it before myself, so unfortunately I can't offer any advice...

If you manage to work it out, please let us know.

Jerry M's picture


 

root@nginx-php-fastcgi ~# sed -i "\|debian.org| s|http:|https:|" /etc/apt/sources.list.d/*.list

root@nginx-php-fastcgi ~# apt update

Ign:1 http://archive.turnkeylinux.org/debian buster-security InRelease

Ign:2 http://archive.turnkeylinux.org/debian buster InRelease

Hit:3 http://archive.turnkeylinux.org/debian buster-security Release

Hit:4 http://archive.turnkeylinux.org/debian buster Release

Get:5 https://security.debian.org buster/updates InRelease [65.4 kB]

Get:6 https://deb.debian.org/debian buster InRelease [122 kB]

Get:9 https://security.debian.org buster/updates/main amd64 Packages [268 kB]

Get:10 https://security.debian.org buster/updates/main Translation-en [142 kB]

Get:11 https://deb.debian.org/debian buster/main amd64 Packages [7907 kB]

Get:12 https://deb.debian.org/debian buster/main Translation-en [5969 kB]

Get:13 https://deb.debian.org/debian buster/contrib amd64 Packages [50.1 kB]

Get:14 https://deb.debian.org/debian buster/contrib Translation-en [44.2 kB]

Fetched 14.6 MB in 11s (1355 kB/s)

Reading package lists... Done

Building dependency tree

Reading state information... Done

90 packages can be upgraded. Run 'apt list --upgradable' to see them.

Jerry M's picture

Thank you for your assist.

Add new comment